Bug 42780 - univentionPWLength or univentionPWHistoryLen left empty breaks passwordchange for users
Status: CLOSED DUPLICATE of bug 51354
Product: UCS
Classification: Unclassified
Component: Password changes
UCS 4.1
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS maintainers
:
Depends on:
Blocks: 51354
Reported: 2016-10-27 14:22 CEST by Jens Thorp-Hansen
Modified: 2022-03-08 09:31 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2016102621000533
Bug group (optional): Error handling, External feedback
Max CVSS v3 score:


Description Jens Thorp-Hansen univentionstaff 2016-10-27 14:22:56 CEST
If, in the password policy for a user, the values for univentionPWLength or univentionPWHistoryLen are left empty (instead of e.g. "0"), this user cannot change his password.

kpasswd throws:

Soft error : External password quality program failed: Traceback (most recent call last): [no traceback appears...]

The strace - traceback points to the solution: 
7604  read(13, "Traceback (most recent call last):\n  File \"/usr/share/univention-heimdal/check_cracklib.py\", line 64, in <module>\n    pwdCheck = univention.password.Check(None, params['principal'])\n  File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 51, in __init__\n    self._userPolicy(username)\n  File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 96, in _userPolicy\n    self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])\nKeyError: 'univentionPWHistoryLen'\n", 4096) = 527

The related code snippet from password.py:
                policy_result = self.lo.getPolicies(dn)
                if policy_result.get('univentionPolicyPWHistory'):
                        self.min_length=int(policy_result['univentionPolicyPWHistory']['univentionPWLength']['value'][0])
                        self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
                        if policy_result['univentionPolicyPWHistory'].get('univentionPWQualityCheck'):
                                univentionPasswordQualityCheck = policy_result['univentionPolicyPWHistory']['univentionPWQualityCheck']['value'][0]
                                if univentionPasswordQualityCheck.lower() in ['yes', 'true', '1', 'on' ]:
                                        self.enableQualityCheck = True
                self.pwhistory = self.lo.search(base=dn, attr=['pwhistory'])[0][1].get('pwhistory')
Comment 1 Florian Best univentionstaff 2016-10-27 14:28:23 CEST
Traceback (most recent call last):
  File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in <module>
    pwdCheck = univention.password.Check(None, params['principal'])
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 51, in __init__
    self._userPolicy(username)
  File "/usr/lib/pymodules/python2.7/univention/password.py", line 96, in _userPolicy
    self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])
KeyError: 'univentionPWHistoryLen'
Comment 2 Florian Best univentionstaff 2016-10-27 14:33:43 CEST
The reason is a univentionPolicyPWHistory without univentionPWHistoryLen set.

You can find the objects which are causing this with the following command:
univention-ldapsearch '(&(objectClass=univentionPolicyPWHistory)(!(univentionPWHistoryLen=*)))' -LLL

I guess this command can be used to create such a password history policy:
udm policies/pwhistory create --position cn=pwhistory,cn=users,cn=policies,$(ucr get ldap/base) --set name=foo
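
Added example, not part of the original comments and not Univention's code or the fix tracked in bug 51354: a Python 3 sketch of reading the policy dictionary from the snippet above so that an unset attribute no longer raises KeyError, while a value that is present but malformed still stops the password change with a clear error instead of silently weakening the policy. The names parse_pw_policy and PolicyValueError are hypothetical, and treating an unset attribute as 0 is an assumption taken from the description.

```python
POLICY = 'univentionPolicyPWHistory'
TRUE_VALUES = ('yes', 'true', '1', 'on')


class PolicyValueError(ValueError):
    """Attribute is set, but not to a usable non-negative integer."""


def _first_value(policy, attr):
    """Return the first value of attr as text, or None if unset or empty."""
    values = (policy.get(attr) or {}).get('value') or []
    if not values:
        return None
    value = values[0]
    if isinstance(value, bytes):
        value = value.decode('utf-8', 'replace')
    return value.strip() or None


def _int_attr(policy, attr, default=0):
    raw = _first_value(policy, attr)
    if raw is None:
        return default  # assumption: unset means the same as "0"
    try:
        number = int(raw)
    except ValueError:
        number = -1
    if number < 0:
        # Fail closed: a garbled value must not be read as "no restriction".
        raise PolicyValueError('%s has invalid value %r' % (attr, raw))
    return number


def parse_pw_policy(policy_result):
    """Extract the password settings; tolerate absent attributes."""
    policy = (policy_result or {}).get(POLICY) or {}
    quality = _first_value(policy, 'univentionPWQualityCheck') or ''
    return {
        'min_length': _int_attr(policy, 'univentionPWLength'),
        'history_length': _int_attr(policy, 'univentionPWHistoryLen'),
        'quality_check': quality.lower() in TRUE_VALUES,
    }


# Constructed sample in the shape the snippet indexes into, with
# univentionPWHistoryLen unset as in this report.
SAMPLE = {POLICY: {'univentionPWLength': {'value': ['8']},
                   'univentionPWQualityCheck': {'value': ['TRUE']}}}

if __name__ == '__main__':
    print(parse_pw_policy(SAMPLE))
```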
Comment 3 Stefan Gohmann univentionstaff 2019-01-03 07:18:51 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Florian Best univentionstaff 2022-03-08 09:31:53 CET

*** This bug has been marked as a duplicate of bug 51354 ***